grsecurity

Home

Download

Documentation

Features

Support

Links

Donations

Sponsors

Books

Research

Papers

Contact

More News >>

Stable:

2.2.2-2.6.32.56
Last updated: 02/03/12

Test:

2.2.2-3.2.4
Last updated: 02/03/12

grsecurity 2.0 RBAC features

Role-Based Access Control
User, group, and special roles
Domain support for users and groups
Role transition tables
IP-based roles
Non-root access to special roles
Special roles that require no authentication
Nested subjects
Variable support in configuration
And, or, and difference set operations on variables in configuration
Object mode that controls the creation of setuid and setgid files
Create and delete object modes
Kernel interpretation of inheritance
Real-time regular-expression resolution
Ability to deny ptraces to specific processes
User and group transition checking and enforcement on an inclusive or exclusive basis
/dev/grsec entry for kernel authentication and learning logs
Next-generation code that produces least-privilege policies for the entire system with no configuration
Policy statistics for gradm
Inheritance-based learning
Learning configuration file that allows the administrator to enable inheritance-based learning or disable learning on specific paths
Full pathnames for offending process and parent process
RBAC status function for gradm
/proc/<pid>/ipaddr gives the remote address of the person who started a given process
Secure policy enforcement
Supports read, write, append, execute, view, and read-only ptrace object permissions
Supports hide, protect, and override subject flags
Supports the PaX flags
Capability auditing and log suppression
Shared memory protection feature
Integrated local attack response on all alerts
Subject flag that ensures a process can never execute trojaned code
Full-featured fine-grained auditing
Resource, socket, and capability support
Protection against exploit bruteforcing
/proc/pid filedescriptor/memory protection
Rules can be placed on non-existent files/processes
Policy regeneration on subjects and objects
Configurable log suppression
Configurable process accounting
Human-readable configuration
Not filesystem or architecture dependent
Scales well: supports as many policies as memory can handle with the same performance hit
No runtime memory allocation
SMP safe
O(1) time efficiency for most operations
Include directive for specifying additional policies
Enable, disable, reload capabilities
Option to hide kernel processes
Force applications to use specified source IPs (useful for chrooted environments

Chroot restrictions

No attaching shared memory outside of chroot
No kill outside of chroot
No ptrace outside of chroot (architecture independent)
No capget outside of chroot
No setpgid outside of chroot
No getpgid outside of chroot
No getsid outside of chroot
No sending of signals by fcntl outside of chroot
No viewing of any process outside of chroot, even if /proc is mounted
No mounting or remounting
No pivot_root
No double chroot
No fchdir out of chroot
Enforced chdir("/") upon chroot
No (f)chmod +s
No mknod
No sysctl writes
No raising of scheduler priority
No connecting to abstract unix domain sockets outside of chroot
Removal of harmful privileges via capabilities
Exec logging within chroot

Address space modification protection

PaX: Page-based implementation of non-executable user pages for i386, sparc, sparc64, alpha, parisc, amd64, ia64, ppc, avr32, and arm; negligible performance hit on all i386 CPUs but Pentium 4
PaX: Segmentation-based implementation of non-executable user pages for i386 with no performance hit
PaX: Segmentation-based implementation of non-executable KERNEL pages for i386
PaX: Mprotect restrictions prevent new code from entering a task
PaX: Randomization of stack and mmap base for i386, sparc, sparc64, alpha, parisc, amd64, ia64, ppc, mips, and arm
PaX: Randomization of heap base for i386, sparc, sparc64, alpha, parisc, amd64, ia64, ppc, mips, and arm
PaX: Randomization of kernel stack
PaX: Protection against exploitation of all null ptr dereference bugs
PaX: Protection against exploitation of refcount overflow bugs
PaX: Physical memory sanitization to reduce severity of kernel infoleaks and deter some heap exploitation vectors
PaX: Bounds checking on kernel objects when copying to/from userland
PaX: Automatically emulate sigreturn trampolines (for libc5, glibc 2.0, uClibc, Modula-3 compatibility)
PaX: No ELF .text relocations
PaX: Trampoline emulation (GCC and linux sigreturn)
PaX: PLT emulation for non-i386 archs
No kernel modification via /dev/mem, /dev/kmem, or /dev/port
Option to disable use of raw I/O
Removal of addresses from /proc/<pid>/[maps|stat]

Auditing features

Option to specify single group to audit
Exec logging with arguments
Denied resource logging
Chdir logging
Mount and unmount logging
IPC creation/removal logging
Signal logging
Failed fork logging
Time change logging
RWX map logging

Other features

/proc restrictions that don't leak information about process owners
Symlink/hardlink restrictions to prevent /tmp races
FIFO restrictions
Dmesg(8) restriction
Enhanced implementation of Trusted Path Execution
TCP/UDP Blackholing
Prevention of ptrace-based malicious process/tty sniffers
Module auto-loading restrictions for non-root users
Hiding of kernel symbols from non-root users, as well as auto-lockdown of common paths containing symbol mappings or kernel images
GID-based socket restrictions
Nearly all options are sysctl-tunable, with a locking mechanism
All alerts and audits support a feature that logs the IP address of the attacker with the log
Stream connections across unix domain sockets carry the attacker's IP address with them (on 2.4 only)
Detection of local connections: copies attacker's IP address to the other task
Automatic deterrence of exploit bruteforcing
Low, Medium, High, and Custom security levels
Tunable flood-time and burst for logging
Netfilter module for matching packets based on whether the RBAC system is enabled or not

Site design by Hal Bergman